A list of HIV patients' names, addresses and social security numbers was kept on a shared government server

For nine months, the confidential data just sat there, where hundreds of employees could reach it.

The identities of thousands of Tennesseans with HIV or AIDS, both living and dead, were listed in a computer database kept on a server accessible to the entire staff of the Nashville Metro Public Health Department.

Metro Public Health kept exceptionally confidential HIV patient data on an unsecured server, where any of more than 500 employees could access or copy it.

Lacy Atkins, Nashville Tennessean

But it was more than just a list of names. With just a few clicks, the database would reveal their social security numbers, birthdays, addresses, lab results and some of the intimate secrets of private lives.

Were they gay, bisexual or transgender? The database could tell you.

Did they ever use illegal drugs? The database could tell you that too.

Two months ago, officials at Metro Health discovered a detailed database containing medical information about Middle Tennessee HIV and AIDS patients was stored on a shared computer server open to the entire agency.

The database was supposed to be accessible to only three government scientists, but instead was in reach of more than 500 employees, most of whom do not do any work related to HIV or AIDS.

Metro Health officials say they don’t believe the database was improperly opened during the nine months it was on the shared server because there is at least some evidence the file was never touched. However, the agency does not know for sure because a server auditing feature — which tracks activity on the server — had been left inactive.

With no auditing, an employee potentially could have copied the data onto a thumb drive and taken it home, leaving no trace.

This potential breach, publicly reported for the first time in this story, is a serious misstep for Nashville government, which has damaged a delicate relationship with Middle Tennessee’s HIV community by exposing some of their most private information.

During an interview with The Tennessean last week, three HIV community leaders worried that HIV-positive people would now be less likely to seek treatment, and those who are at risk for infection will be unwilling to get tested, out of fear that their identities will be carelessly mishandled by the government.

“They know that, if this information got into the wrong hands, they could lose their family,” said Brady Dale Morris, 42, who has been HIV positive for about a decade.

“They could lose their jobs. They could lose their insurance. They could lose their homes. They could be kicked out of their church. There are all kinds of implications and ramifications – being HIV positive goes into every nook and cranny of our existence.”

Morris, who is chairman of the Nashville Regional HIV Planning Council, spoke about the potential breach last week alongside Larry Frampton, the public policy director at Nashville CARES, and Thunder Kellie Hampton, an HIV advocate with Street Works. All three officials have made their HIV status public, but stressed that the majority of the HIV community maintains their status as a carefully guarded secret.

Some fear being outed more than sickness or death, they warned.

“People literally are scared to death that their family and friends are going to find out they are positive,” Frampton said. “They are going to literally freak over this. They’ll think that their life is literally coming to an end.”

“If that list is circulating, that scares me,” Hampton added. “The work I do in the community is trying to get people in to get tested or get on to treatment. … I think the gut reaction for many people when they find out about this is ‘I don’t want to get tested. I don’t want my information out there.’”

HIV/AIDS database kept since 1983

The private information that was placed on the shared server at Metro Health came from the Enhanced HIV/AIDS Reporting System, widely known as eHARS, a nationwide database that has been collected by the federal government since 1983.

HIV patients are automatically added to eHARS when their infection is first confirmed in a laboratory test, which means many people are in the database even if they keep their condition a secret and eschew support services. Even death does not remove you from the database.

Although the eHARS database includes patient information from across the country, Metro Health has said the portion of the database that was made vulnerable was limited to 12 Middle Tennessee counties: Cannon, Cheatham, Davidson, Dickson, Hickman, Macon, Robertson, Rutherford, Smith, Sumner, Trousdale, Williamson and Wilson.


Normally, eHARS is used to study and help combat the HIV epidemic, providing the single best data about patients and infections at a state, county or city level. This is especially true in Middle Tennessee, an HIV high-risk region, where eHARS data is used to allot millions in federal funding for support, treatment and prevention programs.

Despite this funding, the community leaders said many HIV patients remain wary of the mere existence of a database, concerned that if their status is ever documented on a government list it could someday be revealed and misused.

For many in Nashville, this incident is the realization of those fears, Morris said.

“I know that it’s necessary to have a list for us to be able to end the epidemic,” Morris said. “But this is one of the few institutions that have been entrusted with this information. And they have failed us.”

Metro Health: Data not breached 'to our knowledge'

The potential HIV data breach was first revealed in Metro Health documents obtained by The Tennessean last month, and the incident was later confirmed by agency officials.

Brian Todd, a spokesman for Metro Health, said in an email statement that a portion of the eHARS database was moved from a secure portion of the agency’s shared computer server in July 2017.

The data was initially moved to a server folder reserved for the Ryan White Program, an HIV grant program, then moved again a day or two later to another server folder that was accessible to all Metro Health employees. The data stayed in this folder until it was discovered by an employee in April.


Metro Health officials say they believe no one opened the misplaced database during those nine months.

“To our knowledge, only the employee who moved the file to the public folder inappropriately accessed the file, simply by moving it,” Todd said in an email. “Her intent was to provide access to an epidemiologist within the department to analyze the data, but that epidemiologist never opened the file. So the personal information in the database was, to our knowledge, never inappropriately accessed.”

Todd stressed that Metro Health does not believe the database had been improperly accessed for two primary reasons: First, the eHARS database was kept in an uncommon file format, known as SAS, which is used by only eight agency employees; and second, metadata attached to the file showed it had not been “modified” since it was uploaded to the shared server last summer.

Neither of these reasons is proof that the private data is still private, however. Computer files can be duplicated without modifying their metadata, and a version of the SAS program can be legally downloaded by anyone for free online. The server's 'auditing' feature, which normally tracks all activity on the server, had been left off.

Therefore, anyone with access to Metro Health’s shared server could potentially have copied the database and then opened it later on a computer outside of the building.
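The two points above, that a copy leaves the source file's "modified" timestamp untouched and that without auditing the absence of records proves nothing, can be shown concretely. The following Python script is an added example written for this article, not code from Metro Health or The Tennessean. It writes a constructed placeholder file (no patient data), back-dates it, copies it, and compares the source's metadata before and after; it then models the evidentiary question with a hypothetical audit-record format of its own, to show that "no one opened the file" is only a supportable conclusion when auditing was actually on.

```python
import os
import shutil
import tempfile
import time
from dataclasses import dataclass


def copy_leaves_source_metadata_unchanged() -> dict:
    """Write a constructed sample file, back-date it, copy it, and compare the
    source file's metadata before and after the copy.

    The file name and contents are constructed for this demonstration; they
    are not a real record.
    """
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "sample_records.sas7bdat")
        dst = os.path.join(workdir, "duplicate.sas7bdat")
        with open(src, "wb") as fh:
            fh.write(b"constructed placeholder content, not patient data\n")

        # Back-date the source's modification time by 30 days so that any
        # change caused by the copy would be obvious in the comparison.
        thirty_days_ago = time.time() - 30 * 86400
        os.utime(src, (thirty_days_ago, thirty_days_ago))
        before = os.stat(src)

        # Duplicate the file. shutil.copy2 also carries the original
        # timestamps over to the copy, so even the copy looks "old".
        shutil.copy2(src, dst)
        after = os.stat(src)
        copied = os.stat(dst)

        return {
            "source_mtime_before": before.st_mtime,
            "source_mtime_after": after.st_mtime,
            # The source's "modified" metadata is identical after the copy.
            "source_unchanged": (before.st_mtime == after.st_mtime
                                 and before.st_size == after.st_size),
            "copy_exists": os.path.getsize(dst) == before.st_size,
            "copy_keeps_source_mtime": int(copied.st_mtime) == int(after.st_mtime),
        }


@dataclass(frozen=True)
class AuditEvent:
    """One file-access audit record in a hypothetical format (assumption:
    real server audit logs differ in shape, but carry the same fields)."""
    timestamp: str
    user: str
    action: str   # e.g. "read", "copy", "write"
    path: str


def access_verdict(auditing_enabled: bool, events: list, path: str) -> str:
    """Decide what the available evidence supports about access to `path`.

    Returns one of:
      "accessed"                  - at least one audit record shows a read/copy
      "no_access_recorded"        - auditing was on and no record mentions it
      "unknown_auditing_disabled" - auditing was off, so absence of records
                                    is not evidence of absence of access
    """
    if not auditing_enabled:
        return "unknown_auditing_disabled"
    for ev in events:
        if ev.path == path and ev.action in ("read", "copy"):
            return "accessed"
    return "no_access_recorded"


if __name__ == "__main__":
    print(copy_leaves_source_metadata_unchanged())
    # Constructed events; the path and user are placeholders.
    sample = [AuditEvent("2018-01-15T09:12:00", "user_a", "copy", "/share/x")]
    print(access_verdict(False, [], "/share/x"))      # unknown_auditing_disabled
    print(access_verdict(True, [], "/share/x"))       # no_access_recorded
    print(access_verdict(True, sample, "/share/x"))   # accessed
```

The first function is the direct check behind the article's point: after the copy, the source's modification time and size are exactly what they were, so "not modified since upload" says nothing about whether it was read or duplicated. The second function encodes the logic a reviewer should apply to an agency's "to our knowledge" claim: with auditing off, the honest answer is "unknown", not "never accessed".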

Regardless, Public Health Director Bill Paul released a statement saying the data was safe.

“We know of no employees that opened the file and the private information remained, and remains, private and protected,” Paul said.

The misplaced eHARS database is not the first instance of Metro Health being careless with HIV patient records, either.

In 2014, the agency admitted that a filing cabinet of decade-old records on HIV patients was accidentally sent to the main office for Metro Nashville Public Schools instead of a surplus warehouse. In that case, Metro Health also said it did not believe the documents were misused.

Ryan White program put data on shared server

Sylakowski was named in an email about the incident written by Shoana Anderson, a former Metro Health bureau director.

Anderson, who was one of the first employees to know about the misplaced database, wrote an email to the agency’s leaders, warning that the eHARS data should “never be placed in a location where it could be accessed by those who do not have authorization to view the data.”

Todd, the Metro Health spokesman, told The Tennessean the database incident was investigated internally but no employees were disciplined as a result.

Instead, Todd said the agency “used the opportunity to educate the employee” and “took steps to prevent similar incidents in the future,” including creating a new server with tighter security intended specifically for sensitive data.


Metro Health also reported the incident to the Tennessee Department of Health, but the state agency did not conduct its own investigation and instead relied upon the findings of the internal investigation which "did not reveal any data had been made public," said spokeswoman Elizabeth Hart.

Metro Health did not consider the incident a violation of the Health Insurance Portability and Accountability Act, or HIPAA, which oversees patient confidentiality, so the agency did not notify the HIV community about the incident.

As a result, the potential breach has remained largely unknown in the HIV community, spread only as rumor prior to this story, according to Hampton, Morris and Frampton. Morris said several community members are now in discussion with a lawyer and a class-action lawsuit is likely to be filed against the city government.

Frampton said he filed an official HIPAA complaint with the federal government last week, encouraging authorities to conduct their own investigation.

“I think it’s going to be a cut-and-dry case,” Frampton said. “It’s obviously a HIPAA violation. It sat on an unprotected server and no one noticed it for nine months. Anyone could have gotten this.”

Brett Kelman is the health care reporter for The Tennessean. He can be reached at 615-259-8287 or at brett.kelman@tennessean.com. Follow him on Twitter at @brettkelman.